Facebook and Uber APIs Failure

Learn how Facebook’s and Uber's APIs failed due to security vulnerabilities.

APIs can become vulnerable, allowing hackers to take control of the system, and this is one root cause of API failure. Big tech companies have always been targets of hackers trying to access the data of millions of users. This lesson discusses events from recent years involving Facebook and Uber, because both companies had similar security vulnerabilities.

Facebook API failure

In 2018, Facebook discovered a massive data breach of 50 million accounts (the figure was later revised to about 87 million). The hackers used the video upload functionality Facebook had introduced in 2017 to carry out the breach. A feature called "View as" on users' profiles lets users see how their profile looks to other users; it also lets them pick a specific user and see their profile from that user's perspective.

How did it happen?

A vulnerability in Facebook's code affected the "View as" feature: along with the other profile data, it generated access tokens for the Facebook users whose profiles were being viewed. This let hackers steal users' access tokens and, through them, access the private information of millions of users. Unfortunately for Facebook, the company only learned about this after the "View as" feature had been misused.

Facebook API failure due to returning excessive data

Analysis

If we analyze how the API was breached, we can see that the following types of vulnerabilities caused this exposure:

  • Excessive data exposure: The API endpoint returning data for the viewed profile included excessive data, such as the access tokens of the users whose profiles were being viewed.

  • Weak authentication/authorization: The API endpoint was vulnerable due to weak authentication. It returned the users' access tokens without authenticating or authorizing the requests.

Uber API failure

In 2018, a cybersecurity researcher found a breach in Uber and reported it so the vulnerability could be fixed before real users were affected. According to him, Uber had left vulnerable an API endpoint that was triggered when a driver joined through a referral link. This vulnerability allowed attackers to exploit Uber's system.

How did it happen?

The hackers gained access by sending an API request that included a user's phone number or email address, which returned that user's UUID without any authorization. Once a UUID had been acquired from one API request, it could be used in a further request to access sensitive information, such as an access token, an address, a location, etc. The researcher ultimately compromised a test account through its access tokens by requesting rides and retrieving payment information. Luckily, the researcher reported this to Uber voluntarily; otherwise, it could have led to a massive data exposure.

Uber API failure due to returning excessive data without authorization

Analysis

The following vulnerabilities caused this exposure:

  • Excessive data exposure: The API response contained all of the user's details along with the UUID, including data the client did not even use for the request it had made.

  • BOLA: The excessive data exposure let users tweak user IDs to access other users' data. The API also returned all of a user's details without validating the authenticity of the requester.

  • Weak authentication/authorization: The API endpoint was vulnerable due to weak authentication and authorization, which is how the hackers breached Uber's data. It returned users' details without authenticating the request as coming from the user in question or verifying that the client was authorized to fetch those details.

Mitigation strategies employed

After the breaches, Facebook and Uber resolved the issues immediately, before any real harm was caused. Because they faced similar security vulnerabilities, Facebook and Uber took similar steps to mitigate the failures, listed below:

  • Facebook and Uber fixed the vulnerabilities by securing the endpoints, implementing techniques that allow the endpoints to send data without IDs or access tokens.

  • Facebook and Uber ensured that no endpoint returned excessive data to unauthorized users, to avoid BOLA attacks. Only the required data was returned to clients.

  • Both Facebook and Uber started programs involving cybersecurity researchers to find vulnerabilities in their APIs and fix them before they catch the eye of hackers.

  • After this attack, Facebook changed its development approach from a "move fast and break things" mentality to a more cautious and slower one that tests its code properly. This was because it was the most significant breach, and it even enabled hackers to access the data of Facebook's CEO.

Generally, a service provider should secure all API endpoints, whether they are public facing or not. Moreover, it should show very limited information to users who try to access others' data. A check (filtration) should be applied to response data at the API level to verify that it does not contain any IDs, tokens, or passwords.
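The two controls discussed above (allow-listed responses so that tokens and private fields never leave the server, and an object-level check before any user's record is returned) can be combined in one profile endpoint. The following is an added illustration, not code from Facebook, Uber, or this lesson; the user records, session store, and field names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    uuid: str
    name: str
    email: str
    phone: str
    address: str
    access_token: str  # server-side credential; must never appear in a response


# Constructed sample data: two users and one valid session.
USERS = {
    "u-1": User("u-1", "Alice", "alice@example.com", "+1-555-0100", "1 Main St", "tok-alice-SECRET"),
    "u-2": User("u-2", "Bob", "bob@example.com", "+1-555-0101", "2 Side St", "tok-bob-SECRET"),
}
SESSIONS = {"sess-alice": "u-1"}  # session id -> authenticated user uuid

# Allow-lists: responses are built from these, so access_token (and, for
# non-owners, phone/address) is dropped by construction, not by remembering
# to strip it afterwards.
PUBLIC_FIELDS = ("uuid", "name")
OWNER_FIELDS = ("uuid", "name", "email", "phone", "address")
CREDENTIAL_MARKERS = ("token", "password", "secret")


def serialize(user: User, requester_uuid: str) -> dict:
    """Pick the field set from the requester's relationship to the record."""
    fields = OWNER_FIELDS if requester_uuid == user.uuid else PUBLIC_FIELDS
    return {f: getattr(user, f) for f in fields}


def check_no_credentials(payload: dict) -> dict:
    """API-boundary filter: refuse to emit a response carrying credential-like
    keys, even if a serializer regresses and starts leaking them."""
    leaked = [k for k in payload if any(m in k.lower() for m in CREDENTIAL_MARKERS)]
    if leaked:
        raise RuntimeError(f"blocked response leaking {leaked}")
    return payload


def view_profile(session_id: str, target_uuid: str) -> dict:
    """Handler for viewing target_uuid's profile on behalf of the session's user."""
    requester = SESSIONS.get(session_id)
    if requester is None:
        raise PermissionError("401: authentication required")  # no anonymous lookups
    target = USERS.get(target_uuid)
    if target is None:
        raise LookupError("404: no such user")
    return check_no_credentials(serialize(target, requester))
```

Viewing your own profile returns the owner fields; viewing someone else's returns only the public pair, and an unauthenticated request is rejected before any record is read.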
